A new threat to Mac users: spying on you

by time news

Spying on Mac users exposed: a newly discovered macOS backdoor uses cloud storage services exclusively to communicate with its operators. The attackers' goal is to collect information from victims' computers by exfiltrating documents and keystrokes, email messages and their attachments, files found on removable storage, and screenshots.

Researchers from the information security company ESET have uncovered a new backdoor for macOS that spies on users of infected Macs and communicates with its operators exclusively through cloud storage services. The capabilities of the backdoor, which the ESET researchers named CloudMensis, clearly show that the attackers' goal is to collect information from victims' computers by exfiltrating documents and keystrokes, email messages and their attachments, files found on removable storage, and screenshots.

CloudMensis is a threat to Mac users, but its very limited distribution suggests that it was likely used as part of a targeted operation. According to the observed data, the operators deploy CloudMensis only against specific targets of interest to them. Its use of known weaknesses to bypass macOS restrictions shows that the operators are actively trying to maximize the success of their espionage operations. However, ESET's research found no unknown (zero-day) vulnerabilities used by the group. Running an up-to-date version of macOS is therefore recommended, so that the attackers cannot rely on these bypasses of the operating system's built-in security measures.

“We still don’t know how CloudMensis was initially distributed and who its targets are. The overall quality of the malware’s code and the lack of secrecy show that the malware’s creators are likely inexperienced in Mac software development and not that sophisticated. However, considerable resources have been invested in the effort to turn CloudMensis into a powerful spy tool and a threat to its potential targets,” explains ESET researcher Marc-Etienne M.Léveillé, who analyzed CloudMensis.

Once CloudMensis has obtained code execution and administrator privileges on a compromised Mac, it runs a first-stage component that downloads and installs a second, more capable component from a cloud storage service.

This second stage is a much larger component with several capabilities for collecting information from the compromised computer. The attackers' goal is clearly espionage: exfiltrating documents, screenshots, email attachments and other sensitive information. Currently, the spy agent is able to execute 39 commands.

CloudMensis uses cloud storage both to receive commands from its operators and to exfiltrate files. It supports three different cloud service providers: pCloud, Yandex Disk and Dropbox. The configuration in the analyzed sample includes authentication tokens for pCloud and Yandex Disk.
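Because the command channel is ordinary HTTPS traffic to well-known storage providers, blocking the destinations is rarely an option and the traffic itself looks legitimate. What stands out instead is which process on the Mac is talking to those APIs. The script below is an added hunting example written for this article; it is not ESET's tooling and not code from the malware. It runs over constructed per-process connection records (pid, executable path, remote host) of the kind an EDR or an `lsof -i` export provides, and flags processes that reach a cloud-storage API without being a vendor client or browser installed under /Applications. The API host names and the "expected client" path prefixes are assumptions and should be tuned to the environment.

```python
"""Hunting heuristic for cloud-storage command-and-control traffic.

Added example, not part of the original article or of ESET's research.
Flags processes that talk to pCloud, Yandex Disk or Dropbox API hosts from
an unexpected location on disk, and notes when one process uses more than
one provider, as the analyzed CloudMensis sample was configured to do.
"""
import re
from collections import defaultdict

# ASSUMPTION: API hosts of the three providers; adjust for your environment.
CLOUD_API_HOSTS = {
    "api.pcloud.com": "pCloud",
    "eapi.pcloud.com": "pCloud",
    "cloud-api.yandex.net": "Yandex Disk",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}

# ASSUMPTION: locations from which legitimate clients and browsers run.
EXPECTED_CLIENT_PREFIXES = (
    "/Applications/",
    "/System/Applications/",
)

# Constructed sample records: "<pid> <executable path> <remote host>:<port>".
# The hidden helper under a user's Library folder is invented for the example.
SAMPLE_CONNECTIONS = """\
412 /Applications/Dropbox.app/Contents/MacOS/Dropbox api.dropboxapi.com:443
577 /Applications/Safari.app/Contents/MacOS/Safari cloud-api.yandex.net:443
903 /Users/alice/Library/.cache/helperd api.pcloud.com:443
903 /Users/alice/Library/.cache/helperd cloud-api.yandex.net:443
1188 /usr/libexec/trustd ocsp.apple.com:443
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<path>\S+)\s+(?P<host>[\w.-]+):(?P<port>\d+)$"
)


def parse_connections(text):
    """Parse one record per line into (pid, path, host, port) tuples.

    Malformed lines are skipped rather than aborting the whole hunt.
    """
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(
                (int(match["pid"]), match["path"], match["host"], int(match["port"]))
            )
    return records


def suspicious_cloud_clients(text):
    """Return processes that reach a cloud-storage API from an unexpected path.

    Each finding lists every provider the process contacted, because a single
    binary juggling two providers is a stronger signal than one connection.
    """
    providers_by_process = defaultdict(set)
    for pid, path, host, _port in parse_connections(text):
        provider = CLOUD_API_HOSTS.get(host)
        if provider is None:
            continue  # not cloud-storage API traffic at all
        if path.startswith(EXPECTED_CLIENT_PREFIXES):
            continue  # vendor client or browser: expected to talk to the API
        providers_by_process[(pid, path)].add(provider)
    return [
        {"pid": pid, "path": path, "providers": sorted(providers)}
        for (pid, path), providers in sorted(providers_by_process.items())
    ]


if __name__ == "__main__":
    for finding in suspicious_cloud_clients(SAMPLE_CONNECTIONS):
        print(f"pid {finding['pid']}: {finding['path']} -> {', '.join(finding['providers'])}")
```

On the constructed sample only the hidden helper is reported, and it is reported once with both providers attached. A process-path allowlist is a heuristic, not a signature: an attacker can drop a binary under /Applications, so in practice the check is combined with code-signing status and with whether the executable is one an official client would launch.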

Metadata from the cloud storage services used by the operators reveals interesting details about the activity: for example, the operators began sending commands to the bots on February 4, 2022.

Apple has recently acknowledged the existence of spyware targeting users of its products and introduced Lockdown Mode for iOS, iPadOS and macOS, which disables features of the operating system that are commonly abused to gain code execution and deploy malware.
